author: Tobias Brunner <tobias@strongswan.org> 2016-02-17 17:31:51 +0100
committer: Tobias Brunner <tobias@strongswan.org> 2016-03-03 17:28:03 +0100
commit: 2f3c08d268a6ead9e7d9e74b523600d76e3e5722 (patch)
tree: 92c5feb3413000eec81b7e2777875ecaaaf92b34 /conf
parent: 904f93f65562fef83c945348e02fa24600a510ec (diff)
ikev1: Allow immediate deletion of rekeyed CHILD_SAs
When charon rekeys a CHILD_SA after a soft limit expired, it is only deleted after the hard limit is reached. In case of packet/byte limits this may not be the case for a long time since the packets/bytes are usually sent using the new SA. This may result in a very large number of stale CHILD_SAs and kernel states. With enough connections configured this will ultimately exhaust the memory of the system.

This patch adds a strongswan.conf setting that, if enabled, causes the old CHILD_SA to be deleted by the initiator after a successful rekeying.

Enabling this setting might create problems with implementations that continue to use rekeyed SAs (e.g. if the DELETE notify is lost).
Diffstat (limited to 'conf')
-rw-r--r-- conf/options/charon.opt | 8
1 files changed, 8 insertions, 0 deletions
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index a4e03d4af..382003644 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -61,6 +61,14 @@ charon.crypto_test.required = no
charon.crypto_test.rng_true = no
Whether to test RNG with TRUE quality; requires a lot of entropy.
+charon.delete_rekeyed = no
+ Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
+
+ Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
+ Reduces the number of stale CHILD_SAs in scenarios with a lot of rekeyings.
+ However, this might cause problems with implementations that continue to
+ use rekeyed SAs until they expire.
+
charon.dh_exponent_ansi_x9_42 = yes
Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
strength.
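Review bot: the option description in this hunk omits the most concrete failure mode the commit message names, namely a lost DELETE notify leaving the peer on the old SA while the initiator has already torn it down; the last sentence of the new paragraph ("However, this might cause problems with implementations that continue to use rekeyed SAs until they expire.") should mention that case so an administrator reading only strongswan.conf(5) understands the risk of enabling it. Two smaller points: the name `charon.delete_rekeyed` gives no hint that the setting is IKEv1-only, so the first line should state explicitly that it has no effect on IKEv2 connections rather than relying on the parenthetical alone, and "right after they got successfully rekeyed" reads better as "right after they have been successfully rekeyed".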